
Misdirected bounces....


bobbear


Like most people, I occasionally get the odd few misdirected 'non-delivery' bounces from mail systems due to my address having been forged in the 'From' or 'Return Path' fields of the original spam but I've always decided not to bother reporting them under the 'new' rules as they haven't been too much of a problem and I hesitate to report legitimate mailing systems even though such a bouncing practice is considered 'not a good thing'™

Recently however I have been getting annoyingly large numbers of these misdirected bounces from 'pump & dump' stock scam spam runs and am considering reporting them. On most of them the original spam is returned intact as an attachment and I could actually report the original spam rather than the bounce itself which on the face of it seems a more sensible thing to do as it reports the original spammer source network etc rather than just the network of the mail system that bounced it. I could even report both, but I thought I'd check what the general feeling is about doing whatever before doing it......


Strictly by the (current) Rules ..... stripping the "original" spam out of your 'bounced' spam would fall under the "material alteration" part of the "thou shalt not do this" in the 'agreement' / terms of service ....

Not reporting it 'as-is' does nothing to get the ISP involved to catch up with today's world and 'fix' that server.

There is nothing stopping one from manually reporting.


> Strictly by the (current) Rules ..... stripping the "original" spam out of your 'bounced' spam would fall under the "material alteration" part of the "thou shalt not do this" in the 'agreement' / terms of service ....
>
> Not reporting it 'as-is' does nothing to get the ISP involved to catch up with today's world and 'fix' that server.
>
> There is nothing stopping one from manually reporting.

(quoted from post 42422)

[Para1] That's what I wondered, so so far I've just deleted them pro-tem - available time is a bit of a problem for me for manually reporting the original spam at the moment. Mind, it's debatable if it's 'material alteration' as the original spam is unaltered in any way, but all points of view are appreciated & if that's the accepted view then it's OK by me!

[Para2] I appreciate how mailserver anti-spam bounces are undoubtedly a 'bad thing' & really add to the problem, but there seems to me to be a bit of a divide on non-delivery bounces and I can see both sides of the argument - on one side such bounces just add to the problems caused by spam forgers, but on the other hand I want to know if my superbly helpful & constructive email to Bill Gates has not been delivered, (not to mention half my manual reports to abuse teams for one reason or another....)


> [Para1] Mind, it's debatable if it's 'material alteration' as the original spam is unaltered in any way, but all points of view are appreciated & if that's the accepted view then it's OK by me!

People have done this. Some people have "gotten away" / "had no problem" doing this. The flip side has always been .... Some folks don't know enough about the specifics, delete a line too many or too few, don't delete something / some data correctly, started working with an e-mail that had actually been altered on its travels through the servers involved ... and when their reports cause some problems or get challenged, the 'current' No alterations makes it easy for Don/Deputies to make the decision about the status of or fine to be applied to a Reporting account.

> [Para2] I appreciate how mailserver anti-spam bounces are undoubtedly a 'bad thing' & really add to the problem, but there seems to me to be a bit of a divide on non-delivery bounces and I can see both sides of the argument - on one side such bounces just add to the problems caused by spam forgers, but on the other hand I want to know if my superbly helpful & constructive email to Bill Gates has not been delivered, (not to mention half my manual reports to abuse teams for one reason or another....)

(quoted from post 42426)

Yes, the debate continues ... Basically, the RFCs involved are still premised on the game plan that "the network" can survive the nuclear obliteration of some major continental portions of the U.S. in order to allow continued communications between various parts, components, and entities of the U.S. Government. You might have noticed that "the network" has changed a bit, "membership" has much expanded from that basic core of U.S. Government entities, Academics, and a very few corporations. And along with this increase in "membership" comes along the extra baggage of opening up the thing to those that choose to take advantage of the "trusted" status once automatically assumed/granted to users. Bottom line, "the network" has been around for close to a couple of decades now, but it wasn't until the last couple of years that spammers started abusing e-mail servers this way.

Note that this was after they had ruined other original concepts based on both trust and the desire for continued communications even if part of the network no longer existed ... open relays for instance ... once assumed to be the mandatory norm, now a reason to be held up as a sign of Admin incompetence.


> ...it's debatable if it's 'material alteration' as the original spam is unaltered in any way, but all points of view are appreciated & if that's the accepted view then it's OK by me!

(quoted from post 42426)

I think the issue would be that you did not receive the original spam item and, therefore, your report of the original spam would not be legitimate. Your complaint, in this instance, is that the bounces are causing you a problem so the correct thing is to report the bounces by some means.

However, I'm with you in general. I'm not sure that reporting misdirected bounces does much good as far as reducing the problem, it can cause anger, upset and misunderstanding and has often gained the cause of spam filtering a bad name.

So my personal preference is to delete and forget but each to his/her own... :)

Andrew


> I think the issue would be that you did not receive the original spam item and, therefore, your report of the original spam would not be legitimate. Your complaint, in this instance, is that the bounces are causing you a problem so the correct thing is to report the bounces by some means.
>
> However, I'm with you in general. I'm not sure that reporting misdirected bounces does much good as far as reducing the problem, it can cause anger, upset and misunderstanding and has often gained the cause of spam filtering a bad name.
>
> So my personal preference is to delete and forget but each to his/her own... :)
>
> Andrew

(quoted from post 42429)

[Para 1] Yes, that is the main issue in my mind, (i.e. the fact that the original spam was not addressed to me), but undoubtedly the bounce and the resulting problem to me was the result of the spammer sending the spam in the first place and thus it is arguable that if I can report the original spam with no material alteration, (as a result of it being attached to the bounce in its original form), then perhaps that is the best course of action, but I have no intention of going against the Spamcop guidelines on this - hence my enquiry. At the moment, like you, I just delete and try to forget... :)

[Para 2] Agreed - reporting non-delivery bounces can undoubtedly cause "anger, upset and misunderstanding" and I'm reluctant to do it. Mail non-delivery responses can be useful. I had a case last week where I submitted several money transfer scam site abuse reports to OnlineNIC who are normally superbly proactive & helpful and I received a couple of bounces because their mail delivery system had a problem. I was grateful to receive those bounces as it meant I could later re-submit the reports which resulted in a couple of criminal fraud sites being taken down.


> Agreed - reporting non-delivery bounces can undoubtedly cause "anger, upset and misunderstanding" and I'm reluctant to do it. Mail non-delivery responses can be useful. I had a case last week where I submitted several money transfer scam site abuse reports to OnlineNIC who are normally superbly proactive & helpful and I received a couple of bounces because their mail delivery system had a problem. I was grateful to receive those bounces as it meant I could later re-submit the reports which resulted in a couple of criminal fraud sites being taken down.

There are two kinds of non-delivery 'bounces' - the first rejects the message at the server level and returns to the address that sent it; the second accepts the message and sends a new email to the return path or From. The latter is what causes all the problems with spam since the return path or From is forged.

When spamcop first started, 'anger, upset, and misunderstanding' were the norm for those who had not kept up on 'best practices for mailing lists' The second kind of bounce was even defended by spamcop deputy as a 'good' thing before the problem escalated. Those who are angered and upset by having the 'bad' bounces reported are like the mailing list operators who had been running a legitimate mailing list for some time with no problem until people started changing addresses to avoid spam and new people started getting mailings they didn't sign up for and other such problems that required that mailing list operators use confirmed subscription and delete addresses that bounced.

My point is that if admins are still using the second kind of bounce, they can be angry and upset, but they need to realize that they are behind the times. Many calm down and are grateful that they have learned something.

If you want to avoid the 'anger and upset' then try reporting as many as you can manually. That's what I did before spamcop changed the rules to include misdirected bounces. I explained that what they were doing was as annoying as getting direct spam.

There is little point in reporting the original spam. For legitimate admins who will do something about it, they probably have already been notified and done something. For the others, your report probably won't make a difference in how long they are on the blocklist since so many are reported. And, for that matter, many probably go to admins who have compromised machines on their network and that causes 'anger and upset' also.

spam is increasingly either coming from out and out criminals or from incompetent admins. IMHO, there is nothing wrong with causing 'anger and upset' for either.

Miss Betsy


> There are two kinds of non-delivery 'bounces' - the first rejects the message at the server level and returns to the address that sent it; the second accepts the message and sends a new email to the return path or From. The latter is what causes all the problems with spam since the return path or From is forged.

I appreciate the distinction, but wouldn't "the address that sent it" be the 'Return path' field in the case of a serverside bounce? In any event, the distinction between a serverside bounce from a spam filter for example or a user-level 'out of office' bounce back to the 'From' or 'Reply To' field is irrelevant when my address is forged in every field in the header as are the ones I am receiving - I get the lot, whether serverside bounce or out of office bounce.

> spam is increasingly either coming from out and out criminals or from incompetent admins. IMHO, there is nothing wrong with causing 'anger and upset' for either.

I certainly agree with the former, (out and out criminal fraud spam seems to be on the rise & increasingly complex), If it's a spamming incompetent mailing list administrator we're talking about, fair enough, he deserves a bit of "anger and upset", but I'm not sure I agree that causing "anger & upset" to an 'innocent' mailserver IT guy who perhaps simply has a different point of view on mailserver setup is going to prove productive.

> There is little point in reporting the original spam. For legitimate admins who will do something about it, they probably have already been notified and done something.

Sorry, but I'm not sure I follow this - the spam attached to the bounce is hardly older than the original spam - the bounce occurs in real time.

> For the others, your report probably won't make a difference in how long they are on the blocklist since so many are reported. And, for that matter, many probably go to admins who have compromised machines on their network and that causes 'anger and upset' also.

If that argument were true it would surely apply to all spam reporting. In any event it wouldn't be much of an admin that got upset at being informed of compromised machines on his network!

> I appreciate the distinction, but wouldn't "the address that sent it" be the 'Return path' field in the case of a serverside bounce? In any event, the distinction between a serverside bounce from a spam filter for example or a user-level 'out of office' bounce back to the 'From' or 'Reply To' field is irrelevant when my address is forged in every field in the header as are the ones I am receiving - I get the lot, whether serverside bounce or out of office bounce.

When non-delivery messages are useful, they are returned at the server level with a code. That code is delivered to the IP address that sent it. If it is a legitimate address, the system receiving it composes an email based on the code message and sends it to you. The 'bad' ones are received and then an email is sent to the return path which is not the IP address from which it came.

> I certainly agree with the former, (out and out criminal fraud spam seems to be on the rise & increasingly complex), If it's a spamming incompetent mailing list administrator we're talking about, fair enough, he deserves a bit of "anger and upset", but I'm not sure I agree that causing "anger & upset" to an 'innocent' mailserver IT guy who perhaps simply has a different point of view on mailserver setup is going to prove productive.

There are no 'innocent' mailserver IT guys. They either understand that the 'bad' bounces are no longer useful or they don't. If they don't, they are behind the times and, therefore, incompetent. It is the same as with mailing lists. Mailing list admins either understand about confirmed subscription and deleting addresses that bounce or they don't. If they don't, they are not 'innocent' - they are incompetent.

> Sorry, but I'm not sure I follow this - the spam attached to the bounce is hardly older than the original spam - the bounce occurs in real time.

> If that argument were true it would surely apply to all spam reporting. In any event it wouldn't be much of an admin that got upset at being informed of compromised machines on his network!

(quoted from post 42433)

If you are going to go to the trouble of manually extracting the spam, it would make more sense to manually send an explanation of why 'bad' bounces are bad. There are enough spam reporters to report spam that an extra 'manual' report is not going to make much difference. The more spam you report, the better, of course. But, particularly, for responsive admins, they undoubtedly have received a report before you have extracted the spam. There are many reporters who only report spam that makes it through the filters or only the 10 most recent. It all depends on how much time you want to devote to spam reporting. I was assuming that if you took extra time to report the bounces manually that you would not want to report the spam manually also.

The reason they are upset is because they can't find any evidence and so don't believe it. 'Good' admins are going to be upset if they get a report of any kind. It is primarily a matter of calming them down and explaining how to fix it.

Miss Betsy
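The two posts above (the "two kinds of non-delivery 'bounces'" distinction and the follow-up that the rejection code "is delivered to the IP address that sent it") describe a difference in who ends up holding the failure notice. The model below is an added example for this thread, not SpamCop code or anything quoted from the forum: it plays one delivery attempt to an unknown mailbox against a receiving MTA under each policy and counts what the forged sender receives. The host names, addresses and IPs (mx.example.org, victim@example.net, 192.0.2.77 and so on) are constructed.

```python
"""SMTP-time rejection versus accept-then-bounce, as seen from the forged address.

Added example; not SpamCop's code. All hosts, addresses and IPs are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional

VICTIM = "victim@example.net"   # address the bot writes into MAIL FROM (constructed)
BOT_IP = "192.0.2.77"           # constructed client address


@dataclass
class Notice:
    """A brand-new message an MTA originates: a non-delivery report."""
    originator: str
    rcpt: str
    reason: str


@dataclass
class ReceivingMTA:
    """Destination MX. policy='reject' refuses an unknown recipient while the
    SMTP dialogue is still open; policy='accept_then_bounce' answers 250 and
    afterwards manufactures a report to the envelope sender."""
    policy: str
    name: str = "mx.example.org"
    local_users: tuple = ("alice@example.org",)
    sent: List[Notice] = field(default_factory=list)

    def smtp_session(self, client_ip: str, mail_from: str, rcpt_to: str) -> str:
        """One delivery attempt; returns the final SMTP reply the client sees."""
        if rcpt_to in self.local_users:
            return "250 2.0.0 Ok: queued"
        if self.policy == "reject":
            # The reply goes back over the open connection to client_ip.
            # No message is ever addressed to mail_from by this MTA.
            return "550 5.1.1 Recipient address rejected: User unknown"
        # accept_then_bounce: the connection is gone, so the only 'sender'
        # this MTA can still reach is whatever was in MAIL FROM (forged or not).
        self.sent.append(Notice(originator=f"MAILER-DAEMON@{self.name}",
                                rcpt=mail_from, reason=f"{rcpt_to}: user unknown"))
        return "250 2.0.0 Ok: queued"


def client_reaction(kind: str, reply: str, real_sender: Optional[str]) -> Optional[Notice]:
    """What the connecting host does with a 5xx reply. A bot that forged
    MAIL FROM has nobody to tell and moves on; a legitimate MTA knows which
    of its own users submitted the message and notifies that user."""
    if not reply.startswith("5") or kind == "bot":
        return None
    return Notice(originator="MAILER-DAEMON@mail.example.net",
                  rcpt=real_sender, reason=reply)


def backscatter_count(policy: str) -> int:
    """Notices the forged victim receives after one bot spam to an unknown mailbox."""
    mx = ReceivingMTA(policy=policy)
    reply = mx.smtp_session(BOT_IP, mail_from=VICTIM, rcpt_to="nobody@example.org")
    bot_notice = client_reaction("bot", reply, real_sender=None)
    notices = mx.sent + ([bot_notice] if bot_notice else [])
    return sum(1 for n in notices if n.rcpt == VICTIM)


def legitimate_typo_notified(policy: str) -> bool:
    """A real user on mail.example.net mistypes a recipient. Under either
    policy someone tells them; only 'reject' keeps that notice on the
    sender's own system, where the sender is known to be genuine."""
    mx = ReceivingMTA(policy=policy)
    real_sender = "bob@example.net"
    reply = mx.smtp_session("198.51.100.5", mail_from=real_sender, rcpt_to="alcie@example.org")
    own_notice = client_reaction("mta", reply, real_sender=real_sender)
    return any(n.rcpt == real_sender for n in mx.sent + ([own_notice] if own_notice else []))


if __name__ == "__main__":
    for policy in ("reject", "accept_then_bounce"):
        print(policy, "-> victim gets", backscatter_count(policy),
              "notice(s); typo still reported:", legitimate_typo_notified(policy))
```

The point the model makes concrete: in the reject case the 550 is consumed by whoever is on the other end of the TCP connection, so a forged envelope address is never contacted, yet a genuine sender still learns about a typo from its own MTA. Only the accept-then-bounce server has to trust the envelope address, which is exactly the field the spammer controls.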


> If you are going to go to the trouble of manually extracting the spam, it would make more sense to manually send an explanation of why 'bad' bounces are bad. There are enough spam reporters to report spam that an extra 'manual' report is not going to make much difference. The more spam you report, the better, of course. But, particularly, for responsive admins, they undoubtedly have received a report before you have extracted the spam.

(quoted from post 42450)

I've been seeing increasing numbers of bounces also and have just been adding the abuse address of the actual source (where the bounce includes the spam email headers - not all do!) and the postmaster address of the bouncing server (if a different domain from the abuse address used by SpamCop) to the report list (with a mention that the bounce was to a forged address).

Given the increasing frequency of this, it would be nice if SpamCop's parser could recognise and handle this (most email software uses standard formats so expanding the parser to cover just these should provide maximum effectiveness for less effort). Any word on whether this is on SpamCop's to-do list?


> <snip>
>
> Given the increasing frequency of this, it would be nice if SpamCop's parser could recognise and handle this (most email software uses standard formats so expanding the parser to cover just these should provide maximum effectiveness for less effort). Any word on whether this is on SpamCop's to-do list?

(quoted from post 42581)

...IIUC, SpamCop's official position on this is more or less as stated above (post 42429) by Andrew. See SpamCop FAQ: On what type of email should I (not) use SpamCop? section labeled spam within other messages.

> ...IIUC, SpamCop's official position on this is more or less as stated above (post 42429) by Andrew.

(quoted from post 42585)

It is certainly "someone else's" spam as the FAQ points out, but it is also quite unlikely to have been reported (most getting the Delete treatment) and given that the majority of spam comes from hijacked PCs, should it not be desirable to get as many reported as possible?

> It is certainly "someone else's" spam as the FAQ points out, but it is also quite unlikely to have been reported (most getting the Delete treatment) and given that the majority of spam comes from hijacked PCs, should it not be desirable to get as many reported as possible?

(quoted from post 42586)

...That is a reasonable position to take but it is not SpamCop's position. Therefore, your recourse is to report manually.

> Given the increasing frequency of this, it would be nice if SpamCop's parser could recognise and handle this (most email software uses standard formats so expanding the parser to cover just these should provide maximum effectiveness for less effort). Any word on whether this is on SpamCop's to-do list?

(quoted from post 42581)

Though "most e-mail software may use standard formats" .... the handling of a bounce/non-delivery notification is all over the place. Some just send a little note, some include the original e-mail in-line, some as an attachment, etc., etc., etc.
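The earlier post that adds the abuse address of the actual source "where the bounce includes the spam email headers", and the reply just above that bounce formats are "all over the place", both come down to the same chore: getting the original message back out of the bounce before anything in it can be examined. The code below is an added example for this thread, not SpamCop's parser and not something any poster provided. It uses only Python's standard `email` package and handles the three shapes the reply names: a multipart/report DSN with the original attached as message/rfc822, a DSN that returns only text/rfc822-headers, and a plain-text note with the original pasted inline. Every sample bounce, address, host name and IP in it is constructed; the list of "our" outbound relay hosts is an assumption a real deployment would fill in.

```python
"""Recover the original message from a bounce of any of three common shapes and
decide whether the bounce is backscatter (our address was forged).

Added example for this thread; not SpamCop's parser. Samples are constructed.
"""
import re
from email import message_from_bytes, message_from_string
from email.message import Message
from email.policy import default
from typing import Optional

# Assumption: hosts that relay our own outbound mail. A genuine bounce of
# something we sent shows one of them in the original's Received chain.
OUR_OUTBOUND_HOSTS = ("mail.example.net",)

ORIGINAL_HEADERS = (                       # constructed forged-sender spam
    "Received: from bot.example.com (unknown [192.0.2.77])\n"
    "\tby mx.example.org (Postfix) with SMTP id ABC123\n"
    "Return-Path: <victim@example.net>\nFrom: victim@example.net\n"
    "To: nobody@example.org\nSubject: HOT STOCK ALERT\n"
    "Message-ID: <x@bot.example.com>\n")
ORIGINAL = ORIGINAL_HEADERS + "\nBuy now.\n"

DSN_HEAD = (                               # constructed multipart/report bounce
    "From: MAILER-DAEMON@example.org\nTo: victim@example.net\n"
    "Subject: Undelivered Mail Returned to Sender\nMIME-Version: 1.0\n"
    'Content-Type: multipart/report; report-type=delivery-status; boundary="B1"\n'
    "\n--B1\nContent-Type: text/plain\n\nDelivery to nobody@example.org failed.\n"
    "\n--B1\nContent-Type: message/delivery-status\n\n"
    "Reporting-MTA: dns; mx.example.org\n\n"
    "Final-Recipient: rfc822; nobody@example.org\nAction: failed\nStatus: 5.1.1\n")
DSN_ATTACHED = (DSN_HEAD + "\n--B1\nContent-Type: message/rfc822\n\n"
                + ORIGINAL + "--B1--\n").encode()
DSN_HEADERS_ONLY = (DSN_HEAD + "\n--B1\nContent-Type: text/rfc822-headers\n\n"
                    + ORIGINAL_HEADERS + "\n--B1--\n").encode()
INLINE_BOUNCE = (                          # constructed plain-text bounce
    "From: postmaster@example.org\nTo: victim@example.net\n"
    "Subject: Delivery failure\nContent-Type: text/plain\n\n"
    "Your message could not be delivered.\n\n--- Original message follows ---\n"
    + ORIGINAL).encode()
# Same shape, but the original really did leave through our own relay.
LEGIT_BOUNCE = INLINE_BOUNCE.replace(
    b"bot.example.com (unknown [192.0.2.77])",
    b"mail.example.net (mail.example.net [198.51.100.5])")

HEADER_START = re.compile(r"^(?:Received|Return-Path):", re.M)
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def extract_original(bounce: bytes) -> Optional[Message]:
    """Return the enclosed original (full or headers-only), or None."""
    msg = message_from_bytes(bounce, policy=default)
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":            # original attached whole
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":       # only its headers came back
            return message_from_string(part.get_content(), policy=default)
    for part in msg.walk():                      # pasted inline in the text
        if part.get_content_type() == "text/plain" and not part.is_multipart():
            m = HEADER_START.search(part.get_content())
            if m:
                return message_from_string(part.get_content()[m.start():], policy=default)
    return None


def source_ip(original: Message) -> Optional[str]:
    """Client that handed the original to the bouncing MX. The topmost
    Received line was written by that MX, so its bracketed IP is observed,
    not spammer-supplied. Caveat: a bouncer with internal relay hops stacks
    them above that line; a production parser skips hops it trusts."""
    for line in original.get_all("Received") or []:
        m = BRACKET_IP.search(str(line))
        if m:
            return m.group(1)
    return None


def is_backscatter(original: Message, our_hosts=OUR_OUTBOUND_HOSTS) -> bool:
    """True when the original never passed through one of our outbound hosts:
    the bouncer got it from a stranger yet addressed the notice to us."""
    received = " ".join(str(h) for h in original.get_all("Received") or [])
    return not any(host in received for host in our_hosts)


def triage(bounce: bytes) -> dict:
    """What a reporter wants to know before deciding how to handle a bounce."""
    original = extract_original(bounce)
    if original is None:
        return {"original_found": False}
    return {"original_found": True, "backscatter": is_backscatter(original),
            "source_ip": source_ip(original), "original_subject": str(original["Subject"])}


if __name__ == "__main__":
    for name, raw in [("attached", DSN_ATTACHED), ("headers-only", DSN_HEADERS_ONLY),
                      ("inline", INLINE_BOUNCE), ("legitimate", LEGIT_BOUNCE)]:
        print(name, triage(raw))
```

The inline fallback is the fragile part, as the reply warns: it assumes the pasted copy still starts with a Received or Return-Path line, and a bounce that only quotes the Subject gives `original_found: False`, which is the honest answer rather than a guessed source. The backscatter test relies on a fact the bouncer cannot forge on our behalf: if our own relay never handled the message, the failure notice was never ours to receive.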


> Though "most e-mail software may use standard formats" .... the handling of a bounce/non-delivery notification is all over the place. Some just send a little note, some include the original e-mail in-line, some as an attachment, etc., etc., etc.

(quoted from post 42596)

Understood - thanks for the response.

Archived

This topic is now archived and is closed to further replies.
